Re: Ipv6 for the content provider

[Owen DeLong <owen () delong com>]

On Jan 26, 2011, at 11:18 AM, George Bonser wrote:

> > Application level support on Linux/FreeBSD/NetBSD is 98% and rising
> > every day.  Apache, BIND, Postfix, they all work great.  The "problem"
> > is you may need config adjustment.  Your Apache ListenOn's will need
> > IPv6 added, your Postfix "local nets" ACL will need your IPv6
> addresses
> > added, and so on.
> >
> > And that is the crux of the migration issue.  Updating all the
> > configuration in all the apps to both do the right thing and be secure
> > in IPv6.  That is where all of your work will be, particualrly if you
> > have custom systems to manage IP's or configs.
> >
> > --
> >       Leo Bicknell - bicknell () ufp org - CCIE 3440
> >        PGP keys at http://www.ufp.org/~bicknell/
>
> We're still having some problems with linux and java.  For example, a v6
> socket is supposed to support either protocol. But for some reason, and
> I don't know if this is just one particular kernel, if communications is
> attempted under some circumstances with a v4 address on a dual-stacked
> host, the packets go out on the wire with v6 mapped v4 addresses
> (::ffff:x.x.x.x) which isn't supposed to happen.  So everything isn't
> quite there yet for dual-stacking all applications.  The "safest"
> approach on paper is v6 native using NAT64/DNS64 but getting the NAT64
> piece in place at production quality and scale is a problem at this
> point.

That's definitely a bug. Mapped addresses should never hit the wire.

Dual stack is quite a bit safer than NAT64/DNS64. The bug you describe
should be fairly trivial to get fixed if someone can isolate which product
actually has the bug. Have you tried the current kernel under the existing
other components? If swapping the kernel doesn't fix it (I think the
mapped address on the wire bugs in the Linux kernel were removed
fairly early in the 2.6 chain IIRC), then it's probably Java.

Owen